Author Topic: Bypass Sandbox by logging off Win10 with COMODO build 8012  (Read 2083 times)

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 499
Bypass Sandbox by logging off Win10 with COMODO build 8012
« on: March 27, 2022, 09:14:27 AM »
Windows 10 21H2 X64
COMODO Firewall v12.2.2.8012

Case 1: With the default Sandbox enabled (Fully Virtualized), the sample makes the OS log off, meaning it bypassed the Sandbox.
Case 2: Adding a rule to Sandbox the sample in the containment settings and changing the restriction level to Partially Limited, the result is the same as in case 1 above, meaning it bypassed the Sandbox.
Case 3: Adding a rule to Sandbox the sample in the containment settings and changing the restriction level to Limited or above, the sample can be blocked successfully.

In summary:
The default setting (Fully Virtualized), which can be triggered either automatically or by the right-click context menu "running in the sandbox", cannot block the operations of this sample, leading to the bypass. Besides, the Partially Limited restriction also cannot block the operations.

Here is the recorded video:
https://vimeo.com/692917748

PM me for the sample if anyone wants to test.


« Last Edit: March 27, 2022, 09:25:36 PM by Redstraw »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5358
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #1 on: March 27, 2022, 09:48:15 AM »
Yes, the Internet config does not prevent shutdown/restart/logoff as it does not contain a specific token privilege added to the protected COM interfaces list; also, being able to shutdown/restart/log off is not considered a security issue. This is one of the reasons that, to get the most protection, you should use the proactive config and make tweaks from that baseline configuration. The token privilege is the Shutdown privilege, which can be added to the protected COM interfaces using the string LocalSecurityAuthority.Shutdown.

Edit: log off is not prevented even with proactive, but again not really a security issue.
« Last Edit: March 27, 2022, 10:07:02 AM by futuretech »

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 499
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #2 on: March 27, 2022, 09:03:15 PM »
Yes, the Internet config does not prevent shutdown/restart/logoff as it does not contain a specific token privilege added to the protected COM interfaces list; also, being able to shutdown/restart/log off is not considered a security issue. This is one of the reasons that, to get the most protection, you should use the proactive config and make tweaks from that baseline configuration. The token privilege is the Shutdown privilege, which can be added to the protected COM interfaces using the string LocalSecurityAuthority.Shutdown.

Edit: log off is not prevented even with proactive, but again not really a security issue.

I am really confused why the OS being logged off or shut down by malware is not considered a security issue. :-\

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1806
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #3 on: March 28, 2022, 07:41:05 AM »
I think that such malware has no benefit from only shutting down or logging off a system as long as it does not cause any permanent changes or damage to the system.
Normally malware likes to harvest personal data or to collect your money. :)

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 499
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #4 on: March 28, 2022, 08:29:20 AM »
I think that such malware has no benefit from only shutting down or logging off a system as long as it does not cause any permanent changes or damage to the system.
Normally malware likes to harvest personal data or to collect your money. :)

But what will happen if the users are writing a paper, preparing a presentation or processing data when the malware shuts down the OS? This may cause terrible data loss or data damage.

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 917
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #5 on: March 28, 2022, 09:05:52 AM »
But what will happen if the users are writing a paper, preparing a presentation or processing data when the malware shuts down the OS? This may cause terrible data loss or data damage.
Hi Redstraw,

We are checking on this.

Thanks
C.O.M.O.D.O RT

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1806
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #6 on: March 28, 2022, 09:26:31 AM »
But what will happen if the users are writing a paper, preparing a presentation or processing data when the malware shuts down the OS? This may cause terrible data loss or data damage.

Nowadays almost every application has some kind of auto-save function built in to prevent severe data loss in case the application crashes due to application software failures or maybe due to malware shutting down or logging off a system; you would lose only a few minutes of your work or so (depending on the auto-save function timer setting).
I wouldn't have sleepless nights regarding this. ;)
« Last Edit: March 28, 2022, 09:29:07 AM by CISfan »

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 499
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #7 on: March 28, 2022, 10:49:32 AM »
Nowadays almost every application has some kind of auto-save function built in to prevent severe data loss in case the application crashes due to application software failures or maybe due to malware shutting down or logging off a system; you would lose only a few minutes of your work or so (depending on the auto-save function timer setting).
I wouldn't have sleepless nights regarding this. ;)

I don't entirely rely on that automatic saving function.
Last year, when I was editing my bibliography with EndNote, which contained 4k+ entries, a sudden shutdown of the OS totally damaged the bibliography database, which I had collected for assisting my study for many years. I think you would be sleepless too if you had suffered such an accident.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1806
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #8 on: March 28, 2022, 11:16:48 AM »
I don't entirely rely on that automatic saving function.
Last year, when I was editing my bibliography with EndNote, which contained 4k+ entries, a sudden shutdown of the OS totally damaged the bibliography database, which I had collected for assisting my study for many years. I think you would be sleepless too if you had suffered such an accident.

Sure, I would be sleepless too after such drama. But on the other hand, when I work on something on my PC I always save the work manually at regular time intervals, just to prevent losing too much work due to unexpected OS or application crashes.
Pressing "Ctrl+S" regularly to save the work doesn't take much effort for me.

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 499
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #9 on: March 28, 2022, 07:37:59 PM »
Sure, I would be sleepless too after such drama. But on the other hand, when I work on something on my PC I always save the work manually at regular time intervals, just to prevent losing too much work due to unexpected OS or application crashes.
Pressing "Ctrl+S" regularly to save the work doesn't take much effort for me.

First, the damage to my bibliography database had nothing to do with whether it was regularly saved or not. It was damaged/corrupted, rather than suffering simple incremental data loss, due to the sudden shutdown of the OS.

Second, as a veteran of office work and an experienced user, I don't need anyone to teach me how to save a file, either automatically or manually.

Finally and most importantly, please concentrate on the subject of this thread.
« Last Edit: March 28, 2022, 07:45:45 PM by Redstraw »

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 143
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #10 on: March 28, 2022, 08:53:49 PM »
Hi Guys! I was kindly given the file in discussion by RedStraw (thanks again!). Although I ran it on the same system (x64 with CF build 8012) I was unable to note any changes with the Sandbox set at any level.

Although the malware was coded to do a number of things (like screwing with 360 and Minecraft), it did contain scripts that will shut down the system (like shutdown -s -t 15). Regarding this one, note that running the script directly from cmd, or converting it to a batch file, will indeed shut the system down, understandably so as this is a legitimate Windows command and will not be detected by ANYTHING (God forbid it was; we would be left with hard shutdowns and resets).

However, if we were to save that script as a batch file and run that in the sandbox, nothing will happen at all. Further, if we were to screw with the batch file and convert it to an executable, it would then be detected as unknown and fully contained.

Another command coded within the file was a string (del -f -d -q) to delete any 360 directories and files found on the system, which will also be stopped by containment but not if run directly. The malware did a few other interesting things, but containment is more than capable of suppressing all of them.

So, in short, your bibliography will be safe unless you delete it yourself.
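The shutdown -s -t 15 behaviour above does leave a trace a defender can watch for: Windows records every API-initiated shutdown, restart or log-off as User32 event ID 1074, and the message names the process that requested it. The following Python is an added example (not from this thread or from Comodo) that parses constructed 1074 message lines and flags requests coming from processes outside an assumed allowlist of normal Windows shell components.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed User32 event 1074 message lines for this example; the format
# follows the standard "The process X (HOST) has initiated the ..." wording,
# but none of these came from a real machine.
SAMPLE_EVENTS = [
    "The process C:\\Windows\\System32\\winlogon.exe (PC1) has initiated the power off of computer PC1 on behalf of user PC1\\alice for the following reason: Other (Unplanned)",
    "The process C:\\Windows\\System32\\shutdown.exe (PC1) has initiated the shutdown of computer PC1 on behalf of user PC1\\alice for the following reason: No title for this reason could be found",
    "The process C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe (PC1) has initiated the restart of computer PC1 on behalf of user PC1\\alice for the following reason: Other (Unplanned)",
    "The process C:\\Windows\\explorer.exe (PC1) has initiated the log off of computer PC1 on behalf of user PC1\\alice for the following reason: Other (Unplanned)",
    "Some unrelated log line that is not a 1074 event",
]

# Assumed allowlist: components that request shutdowns on a user's behalf
# during normal interactive use (Start menu, Ctrl+Alt+Del screen, etc.).
EXPECTED_INITIATORS = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\wininit.exe",
}

EVENT_RE = re.compile(
    r"The process (?P<proc>.+?) \((?P<host>[^)]+)\) has initiated the "
    r"(?P<action>power off|shutdown|restart|log off) of computer "
    r"(?P<target>\S+) on behalf of user (?P<user>\S+) for the following reason: "
    r"(?P<reason>.*)"
)


@dataclass
class ShutdownEvent:
    process: str
    action: str
    user: str
    reason: str


def parse_event(line: str) -> Optional[ShutdownEvent]:
    """Parse one 1074 message line; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return ShutdownEvent(m["proc"], m["action"], m["user"], m["reason"])


def suspicious_shutdowns(lines: List[str]) -> List[ShutdownEvent]:
    """Return shutdown/restart/log-off requests whose initiator is not allowlisted."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # Path comparison is case-insensitive, as NTFS paths are.
        if ev is not None and ev.process.lower() not in EXPECTED_INITIATORS:
            hits.append(ev)
    return hits
```

Running this over the sample flags the shutdown.exe request (what a `shutdown -s -t 15` script produces) and the request from the Temp-folder executable, while the winlogon.exe and explorer.exe requests pass.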

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 499
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #11 on: March 28, 2022, 11:02:12 PM »
Hi Guys! I was kindly given the file in discussion by RedStraw (thanks again!). Although I ran it on the same system (x64 with CF build 8012) I was unable to note any changes with the Sandbox set at any level.

Although the malware was coded to do a number of things (like screwing with 360 and Minecraft), it did contain scripts that will shut down the system (like shutdown -s -t 15). Regarding this one, note that running the script directly from cmd, or converting it to a batch file, will indeed shut the system down, understandably so as this is a legitimate Windows command and will not be detected by ANYTHING (God forbid it was; we would be left with hard shutdowns and resets).

However, if we were to save that script as a batch file and run that in the sandbox, nothing will happen at all. Further, if we were to screw with the batch file and convert it to an executable, it would then be detected as unknown and fully contained.

Another command coded within the file was a string (del -f -d -q) to delete any 360 directories and files found on the system, which will also be stopped by containment but not if run directly. The malware did a few other interesting things, but containment is more than capable of suppressing all of them.

So, in short, your bibliography will be safe unless you delete it yourself.

Interesting, can you share your testing with a video that contains the test process and the settings of CIS or CFW?

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 629
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #12 on: March 28, 2022, 11:39:05 PM »
So, in short, your bibliography will be safe unless you delete it yourself.

That's the difference! Someone who knows how to handle CIS.

We don't know what else anyone does anymore.

I modified cruelsister's configuration and containment, and CIS has protected me reliably so far: "Another PC is trying to remotely control your computer - we have stopped containment....and....." was the sharpest weapon so far against foreign influence.

By the way, CISfan is right. I would save such important work several times on several storage media. This has nothing to do with the topic, but a shutdown really wouldn't be a security issue with short regular saving intervals.

« Last Edit: March 28, 2022, 11:46:58 PM by prodex »

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 143
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #13 on: March 29, 2022, 09:22:59 AM »
Interesting, can you share your testing with a video that contains the test process and the settings of CIS or CFW?
I've given up making videos (nobody watched them anyway), but this one would be rather boring as both malware samples you submitted could not run. I use CF at my preferred settings, which can be found everywhere. Keep in mind that you don't want to make the setup fancy with unnecessary tweaks, as simple is best. So please set up CF accordingly and re-run those samples if you find the time.

But on the topic of malware not being able to activate: an increasing number of malware, including things in the news recently (like Cobalt, Vidar, Trickbot to name a few), have had coded into them a function that will inventory the victim's system and, if cmdvrt64.dll (Comodo driver) is found, the malware shuts down. In short, if Comodo is installed, even with all components disabled, some current malware will not even run. I read many Comodo complaints on this Forum but nothing about this.
« Last Edit: March 29, 2022, 09:30:02 AM by cruelsister »

Offline victorlopes

  • Comodo Loves me
  • ****
  • Posts: 121
Re: Bypass Sandbox by logging off Win10 with COMODO build 8012
« Reply #14 on: March 29, 2022, 10:59:16 AM »
I've given up making videos (nobody watched them anyway), but this one would be rather boring as both malware samples you submitted could not run. I use CF at my preferred settings, which can be found everywhere. Keep in mind that you don't want to make the setup fancy with unnecessary tweaks, as simple is best. So please set up CF accordingly and re-run those samples if you find the time.

But on the topic of malware not being able to activate: an increasing number of malware, including things in the news recently (like Cobalt, Vidar, Trickbot to name a few), have had coded into them a function that will inventory the victim's system and, if cmdvrt64.dll (Comodo driver) is found, the malware shuts down. In short, if Comodo is installed, even with all components disabled, some current malware will not even run. I read many Comodo complaints on this Forum but nothing about this.

Girl, you're great and we all love your feedback... sorry to ask, but... why don't you join the CIS team to work on improving it? We all trust in you and you seem to have the skills to make CIS great again... What about that, Melih? She could be a great plus on the team.

 
